
Re: SSH revised

From: Sam Mason
Subject: Re: SSH revised
Date: Thu, 23 Mar 2006 21:43:34 +0000
User-agent: Mutt/1.5.11

On Mon, Mar 20, 2006 at 11:16:49PM +0100, Marcus Brinkmann wrote:
> Let me give you my abstract models for terminals to have a solid
> comparison: A terminal is a set of physical and logical devices.  At
> log in, a capability to a directory (containing capabilities to these
> devices and some extra info) is provided to the user's account, where
> it will be attached to a session.  At log out, the terminal capability
> is revoked by the system, the hardware is reset, and the next user can
> log in (I left out a couple of details that are easy to work out).

This seems like a general problem.  Somehow we need to allow something
from outside the system (the network in this case) to contact some central
service (the SSH server) and expect to come back with information from
a specific user.

Because you haven't gone into specifics, this is sort of how I imagine
the login process working:

  1. the system (or maybe some user code) receives a request to log in
  to the system.  Some credentials (username/password) are supplied that
  identify a particular account as being the one to log in to.

  2. this authentication code would then create a directory containing
  information about the login, including capabilities to the terminal
  (or GUI, or whatever the user is using) that the user logged in from.

  3. this directory would be passed to some agent that the user had
  previously registered with the system to allow logins to occur

  4. the user's agent would then be able to construct an appropriate
  environment and execute an appropriate shell

This relies on each user registering some login agent with each
authentication process in the system (i.e. local terminal login, SSH
login, etc.) before logins to the user's account can happen.  This raises
the question of what to do with an account that severs all ties with
the outside world -- which could very well be a very useful thing to do!

Back to the main question.  If I've got the process above correct, why
can't the SSH server just construct a similar object to the one created by
a normal terminal login and give it to the user's login agent?  Assuming
the user has registered its login agent with the SSH server, of course.

> I think that approach 1 may actually be the right one---it easily
> generalizes to all sort of internet services.  For example, personal
> web pages could be available under username.hostname.org and not under
> hostname.org/~username/.  Of course, uhm, the lack of IP addresses in
> IPv4 is a bit of an obstacle, to say the least.

I think you may get a lot of friction with existing users who say you
should be able to do what's always been done.  I'm happy to be wrong
about this though.

That's my take on it anyway!
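The login flow in the numbered steps above (authenticator builds a session directory holding a revocable terminal capability, hands it to the user's registered agent, revokes it and resets the hardware at logout), modelled as an added Python example; this is not code from the thread or from the Hurd project, and the names Capability, Terminal, LoginAgent and AuthService are assumptions:

```python
class Capability:
    """Revocable forwarder: the holder can use the target only while it is live."""
    def __init__(self, target):
        self._target = target
        self._live = True
    def revoke(self):
        self._live = False
    def invoke(self, method, *args):
        if not self._live:
            raise PermissionError("capability revoked")
        return getattr(self._target, method)(*args)

class Terminal:
    """Stand-in for the physical/logical device the user logged in from."""
    def __init__(self, name): self.name = name; self.lines = []
    def write(self, text): self.lines.append(text); return len(text)
    def reset(self): self.lines.clear()

class LoginAgent:
    """User-registered code that receives the session directory (steps 3 and 4)."""
    def __init__(self, shell_name): self.shell_name = shell_name
    def start_session(self, session_dir):
        term = session_dir["terminal"]
        term.invoke("write", "Welcome to " + self.shell_name)
        return {"shell": self.shell_name, "via": session_dir["via"], "terminal": term}

class AuthService:
    """One authenticator (local tty login, SSH, ...); agents are registered per account."""
    def __init__(self, name):
        self.name = name
        self.agents = {}       # account -> LoginAgent (assumed registry)
        self.credentials = {}  # account -> secret (toy credential store)
    def register_agent(self, account, agent): self.agents[account] = agent
    def login(self, account, secret, device):
        # Step 1: credentials identify the account being logged in to.
        if self.credentials.get(account) != secret:
            raise PermissionError("bad credentials")
        # An account that registered no agent with this service cannot be entered.
        agent = self.agents.get(account)
        if agent is None:
            raise PermissionError("no login agent registered with " + self.name)
        # Step 2: session directory with a revocable capability to the device.
        cap = Capability(device)
        session = agent.start_session({"via": self.name, "terminal": cap})
        return session, cap
    def logout(self, cap, device):
        cap.revoke()    # the user's environment can no longer reach the device
        device.reset()  # hardware reset before the next user logs in
```

An SSH login and a local terminal login differ only in the AuthService instance; both hand the same shape of session directory to the same agent.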

